Over the last 24 hours, the cryptocurrency community has been discussing a critical vulnerability that was found in the Bitcoin Core (BTC) reference client. A bug introduced in Bitcoin Core version 0.14, which also affects all subsequent versions, could have caused the great majority of current Core nodes to crash. According to the developer’s Optech newsletter, Core contributors released a patch that fixes Core version 0.16.2, and the latest 0.16.3 fix requires an immediate upgrade.

An Anonymous Individual Discloses a Critical Bug Found in Bitcoin Core Clients

The whole community is talking about a critical bug that was introduced into the Bitcoin Core reference client two years ago. The issue found in Bitcoin Core software versions 0.14 and above (now patched) has brought about another heated discussion concerning the fallibility of developers and the use of a single reference client as opposed to multiple implementations. The bug in question went unnoticed for two years after it was introduced in November of 2016, and a great majority of Core contributors accepted (ACK) the change without many questions.

According to developers, the patch release notes for the bug, and the Optech newsletter, an anonymous individual reported the bug to Core contributors. Essentially, the vulnerability found in Bitcoin Core software would have allowed a malicious actor with a mere 12.5 BTC to crash roughly 90 percent of Core nodes. The Fast Internet Bitcoin Relay Engine (FIBRE) baked into Core would have made matters worse because of the way FIBRE propagates blocks.

“[CVE-2018-17144] A bug introduced in Bitcoin Core 0.14.0 and affecting all subsequent versions through to 0.16.2 will cause Bitcoin Core to crash when attempting to validate a block containing a transaction that attempts to spend the same input twice,” explains the Optech newsletter.

Such blocks would be invalid and so can only be created by miners willing to lose the allowed income from having created a block (at least 12.5 XBT or $80,000 USD).

Are Bugs and Exploits a Compelling Argument for Multiple Clients?

Of course, the bug started a ferocious debate about the BTC community having put Core developers high on a pedestal all these years. Further, the bug revived a compelling argument for multiple clients. For example, Bitcoin ABC released a patch for the vulnerability two days ago, but both Bitcoin XT and Bitcoin Unlimited were unaffected by the issue. On Reddit, Bitcoin Unlimited’s Peter Rizun has emphasized that this is why having multiple implementations is a good idea.

“Wow, isn’t this one of the most serious consensus bugs ever? It affects all BTC Core nodes and the only thing preventing unbound inflation is the fact that the nodes crash, taking down the entire BTC Core network instead,” Rizun says on September 19.

Maybe multiple implementations aren’t such a bad idea, after all, Greg Maxwell? I think only ABC is affected for Bitcoin Cash.

The issue people have with majority dependence on one reference client is that, as some say, history has shown that alternative clients can be very beneficial when critical bugs are discovered, like the one introduced in Bitcoin Core 0.14. For instance, when consensus bugs were found in Ethereum’s Geth over the last couple of years, the network still had Parity clients to rely on, and vice versa.

Left: BTC nodes — Right: BCH nodes.

At the time of writing, there are 9628 nodes running on the BTC network and 9135 are Bitcoin Core nodes. That’s 94 percent of the BTC network running one reference client and every node is affected by any issues found within Core’s codebase. This means bugs not only have to be fixed fast, but mandatory upgrades have to be speedy too. In contrast to the BTC network dominated by Core nodes, there are currently 2006 nodes running on the BCH network but only 59 percent are Bitcoin ABC nodes. So much like the ETH network, client diversity gives BCH 738 Bitcoin Unlimited (BU) nodes covering 39 percent of the network.

Additionally, according to a comment on r/bitcoin, Lightning Nodes could also be vulnerable to attacks due to the recent Bitcoin Core bug.

The recent bug confirms to many cryptocurrency proponents that being dependent on one development team’s QA process, as opposed to client diversity and multiple development teams, can be extremely risky, especially when an exploit like this is found in production and tethered to a $100 billion system.

What do you think about the bug found? Do you think multiple clients is a better way to avoid bugs and exploits? Let us know what you think about this story in the comment section below.


Jamie Redman

Jamie Redman is a financial tech journalist living in Florida. Redman has been an active member of the cryptocurrency community since 2011. He has a passion for Bitcoin, open source code, and decentralized applications. Redman has written thousands of articles for news.Bitcoin.com about the disruptive protocols emerging today.
